Aaron Swartz and the law

Aaron Swartz, who committed suicide last week at age 26, leaves behind quite a legacy for someone so young. He was an Internet activist dedicated to promoting the free flow of information online, which made him a hero to many. His most recent milestone was the launch of Demand Progress, a grass-roots lobbying group that helped defeat the Hollywood-backed anti-piracy bills known by the acronyms SOPA and PIPA.

His eagerness to “liberate” information that others had locked behind pay walls,however, contributed to his undoing. In 2011, a federal grand jury indicted Swartz for allegedly gaining unauthorized access to computers operated by the Massachusetts Institute of Technology and to JSTOR, an online repository of academic research that MIT paid to make available on campus. The indictment accused Swartz of downloading 4.8 million journal articles — a third of which carried a fee — in order to redistribute them online for free.

Swartz’s death may add to his legacy by prodding Congress to narrow the scope of the two laws that federal prosecutors were using against him: the Computer Fraud and Abuse Act of 1986 and the wire fraud provisions of the Communications Act Amendments of 1952. The government has been using these statutes to prosecute people for an expanding range of actions online, including cyber bullying and using a former employer’s website to recruit customers.

Those prosecutions have alarmed civil libertarians, who contend that the government’s interpretation of the law exposes Internet users to prosecution for simply defying the rules that websites and services unilaterally impose on them. Swartz’s prosecution, his supporters say, threatened him with prison time for allegedly committing a crime that caused no harm to society.

The 1986 act bars people from accessing networked computers without authorization or to obtain information the user isn’t authorized to obtain. But how do you define the boundaries of what is authorized? Some prosecutors have argued that unauthorized access constitutes any use of a site or service that doesn’t comply with the site’s terms of service or acceptable use policy. That interpretation leaves Internet users subject to the whims of site operators, who can change their terms and policies without warning — and without the public noticing what’s been done.

As Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, recently wrote: “‘Authorization’ gives great power to the computer system owner. That entity may unilaterally decide what is right and wrong on their system, and the [Computer Fraud and Abuse Act] brings the full force of federal law behind it. Yet outside of the computer context, crimes punish social wrongs, not merely offenses to personal or business preferences.”

MIT gave campus visitors unbridled access to its wireless network and JSTOR. The case against Swartz was not that he wasn’t authorized to download academic articles but that he downloaded them too quickly, in violation of JSTOR’s policies.

Although Swartz made peace with JSTOR and didn’t distribute the downloaded articles, prosecutors went after him anyway, filing charges that could have resulted in a 35-year prison term and a $1-million fine. His family says the feds’ intimidation — prosecutors reportedly insisted that Swartz go to prison as part of any plea deal — was a key factor in his suicide. (Another factor, friends say, was the depression he’d suffered from since he was a teen.)

Sen. Patrick Leahy (D-Vt.) has tried to narrow the scope of the computer fraud act to exclude actions based solely on violations of a site’s terms or policies, but he has been stymied by opposition from the Justice Department. This week, Rep. Zoe Lofgren (D-San Jose) circulated a draft bill aimed at solving the same problem. Dubbed Aaron’s Law, it would bar prosecutors from bringing computer or wire fraud cases based on violations of the terms or policies imposed by a website, Internet service provider or employer if such a violation was the “sole basis” for determining that access was unauthorized. In other words, an Internet user would have to do something more substantial and fraudulent, such as stealing a password or breaking through electronic locks, to be subject to prosecution.

Had Lofgren’s measure been law two years ago, it might not have saved Swartz from prosecution. The indictment accuses him of doing more than just downloading more articles than permitted under the terms of service; it also alleges that he changed computers, disguised his computer’s identity and even snuck a laptop into a closet on campus to circumvent repeated efforts by JSTOR and MIT to stop the downloading. Regardless, Lofgren’s measure would impose much-needed restraint on prosecutors and focus the computer and wire fraud laws on real cases of destructive hacking and online fraud.